Information Security

I am looking to get feedback on how others handle the review of the SOC reports for SOX vendors to ensure that the vendor controls are adequate; as well as, reviewing to ensure that Complimentary User Entity Controls are in place.  Our Risk/Product Manager for the Vendor is responsible for completing the initial review.  As a secondary review, we were trying to have our Finance team, who oversees the SOX Business Processes, Controls, and Risks complete a review of the Risk/Product Managers review to ensure that we have the controls properly addressed.  There has been some pushback with this, so I was hoping to get others thoughts on how they handle this process.  Thank you.  

Hi Michael, With regard to SOC reports, I'll offer a couple of things I learned from working at a large fortune 100 company.  First, I'm assuming you're only sending SOC 1 reports to your financial / SOX team. The SOC 1 reports are meaningful to them as they relate to the financial controls and the related ITGCs that might affect the SOX team's responsibility area.  The SOC 2 reports are more focused on the 5 trust principles and are more operationally / technical controls focused.  Along those same lines, is the organizational applicability question.  Specifically, if the SOX team maintains a list of their in scope (vendors that might impact financials), they are going to be somewhat resistant to looking at SOC reports if they are not related to their list. So, if you are wanting them to opine on a SOC 1, they probably are already reviewing it (if it's in their scope), while if you want them to review either a SOC 2 (or even a SOC 1) from a vendor that's not impactful to your organization's financial standing), you might obtain some pushback.

Just my thoughts.  I welcome anyone else's correction to my thinking, or additional clarification.

Michael, Also, let me commend the shared responsibility model that you're evidently deploying.  Without knowing your staffing levels it's hard to ascertain the level of availability the SOX team has.  If they are a financial accounting team, it certainly might make sense to have them review mission critical and other important vendor artifacts.  I know large organizations may have special third party software and other support for reviews financial strength / viability documentation and so forth, while smaller ones might depend as I've done before, on the CFOs staff to take a second look at financials.  Without knowing your specific organizations structure I can't say for certain, I just know in the one shop I worked in, the SOX team was small and barely had the staff to review the vendors that they were primarily responsible for, so we didn't leverage them very often for out of scope SOX vendors for VRM.

I'll chime in as well, but on the starter question.

As far as whether the controls are adequate, my experience with auditors is that this is determined by your policies and procedures.

Now, with that non-answer out of the way, I would recommend that you create a checklist with controls that you feel are appropriate and feasible. One way is to start with a vendor that you are confident is doing a sufficient job, and use that as a template. If you are looking at internal mitigation controls, then start with that CUEC list [or a more robust one from another vendor, and add in the vendor specific ones] and build from there.

The advantage of a checklist is that it is a relatively static thing, and shapes the review for those who feel they are either too busy or not qualified to review. Auditors often like it because it shows a consistency of review.

But, as with all things, your mileage may vary.

Here is a SOC review form we use- this is for our InfoSec officer. We also have one almost exactly the same for the SOC 1 Type 2 review.  I didn't create this so I can't take credit for it. Unfortunately, I don't remember where I got it from.

Attachment(s)

SOC2 Review Form- FOR INFOSEC OFFICER.xlsx   20 KB 1 version